12976 |
2021-10-01 09:29
|
bita.exe 8d62813dea222d240b0170fd581d97f4 RAT PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
4
apps.identrust.com(192.147.157.177) pastebin.pl(168.119.93.163) - mailcious 168.119.93.163 - mailcious 192.147.157.177
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.4 |
|
20 |
ZeroCERT
12977 |
2021-10-01 09:31
|
EXCEL.exe cb12b24b0f69225693168e9c35761a1b RAT Generic Malware Antivirus AntiDebug AntiVM PE File .NET EXE PE32 MSOffice File VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security suspicious process WriteConsoleW Windows Exploit ComputerName Cryptographic key crashed |
|
|
|
|
15.0 |
M |
24 |
ZeroCERT
12978 |
2021-10-01 09:31
|
kellyzx.exe 37f317fa15efe727f89ad47f18938ed9 PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed |
|
|
|
|
10.0 |
M |
25 |
ZeroCERT
12979 |
2021-10-01 09:33
|
vbc.exe a0251851e3f228572dd892e7005d5126 Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.0 |
M |
22 |
ZeroCERT
12980 |
2021-10-01 09:34
|
WORD.exe 102a4d939738d2c875503b14f99c0aeb RAT Generic Malware Antivirus DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS crashed |
|
2
cloudhost.myfirewall.org(91.121.250.249) - mailcious 91.121.250.249
|
1
ET INFO Observed DNS Query to DDNS Domain .myfirewall .org
|
|
15.2 |
M |
31 |
ZeroCERT
12981 |
2021-10-01 09:35
|
agent.exe 2068a3d903424475d6a7bf87c5ed3a16 PWS .NET framework Generic Malware SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Checks Bios Detects VirtualBox suspicious process malicious URLs WriteConsoleW VMware anti-virtualization Windows ComputerName Software crashed |
|
|
|
|
14.2 |
M |
27 |
ZeroCERT
12982 |
2021-10-01 09:36
|
lt.exe a352af3641e56203e59b69fa73cf116b PWS .NET framework Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS |
|
1
|
|
|
15.6 |
M |
24 |
ZeroCERT
12983 |
2021-10-01 09:37
|
blessedzx.exe bcbc4c86832c1bf89fa8521f6787642e Generic Malware DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS |
|
2
blackbladeinc52.ddns.net(31.210.20.61) - mailcious 31.210.20.61
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
15.4 |
M |
22 |
ZeroCERT
12984 |
2021-10-01 09:38
|
faba50s4e01t22barcode.exe c5687cde262a0776027b2f73f1266a79 NPKI Generic Malware UPX Malicious Library ASPack Malicious Packer Admin Tool (Sysinternals etc ...) PE File OS Processor Check PE32 PNG Format DLL VirusTotal Malware AutoRuns Malicious Traffic Checks debugger Creates executable files unpack itself suspicious process AppData folder sandbox evasion anti-virtualization Windows |
1
http://www.yellowbo.cn/web/xylog.lg?WVQwMU1EQXhNbm9tWXowNVJqVkdOVEUyTjBVME5qQTJPVGczUVRrNFEwVkVPVGRGUVRZeE1USkdOaVprUFRVdU1DNHhMakltWmowNE1DWm5QVFFtYlQwd0ptdzlOVEF4Sm00OU1UVTRPVUU1TTBKQk5qUkJORVEzTWpWQk1VVTVNVUZGTnpZNU9EWkNRMEltYnowPQ==
|
2
www.yellowbo.cn(47.96.66.133) 47.96.66.133
|
|
|
6.2 |
M |
38 |
ZeroCERT
12985 |
2021-10-01 09:39
|
vbc.exe d62969a4f821658faf7d02b6dbd994d6 Generic Malware UPX PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself Remote Code Execution |
|
|
|
|
2.4 |
M |
28 |
ZeroCERT
12986 |
2021-10-01 09:42
|
remcos.exe 76c164f0b7f1cf159db8f378fe55008f AgentTesla PWS .NET framework browser info stealer Generic Malware Google Chrome User Data Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection Internet API Downloader AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS keylogger |
|
1
79.134.225.105 - mailcious
|
|
|
12.4 |
M |
19 |
ZeroCERT
12987 |
2021-10-01 09:42
|
oii.exe e1be4d5a120b60f3e06225f7e8bbccd2 RAT Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Remote Code Execution |
28
|
28
www.car-insurance-rates-x2.info(66.29.132.69) www.simpeltattofor.men(103.224.182.210) www.chilestew.com() - mailcious www.mabduh.com(104.248.158.121) www.anielleharris.com(23.227.38.74) www.luvnecklace.com(3.223.115.185) www.p60p.com(104.167.94.227) www.behiscalm.com(34.102.136.180) www.ziototoristorante.com(199.59.242.153) www.mccorklehometeam.com(184.168.131.241) www.productprinting.online(108.179.246.105) www.dubaibiologicdentist.com(198.54.117.215) www.calmingscience.com(172.67.215.123) www.healthylifefit.com(104.16.12.194) www.chinatowndeliver.com(34.102.136.180) 66.29.132.69 - mailcious 104.167.94.227 184.168.131.241 - mailcious 104.16.13.194 198.54.117.215 - mailcious 34.102.136.180 - mailcious 199.59.242.153 - mailcious 104.21.51.3 - mailcious 108.179.246.105 - phishing 3.223.115.185 - mailcious 23.227.38.74 - mailcious 104.248.158.121 103.224.182.210 - phishing
|
2
ET MALWARE FormBook CnC Checkin (GET) SURICATA HTTP Unexpected Request body
|
16
|
8.4 |
M |
15 |
ZeroCERT
12988 |
2021-10-01 09:42
|
trick.exe 4668a8be8db5bc23fcd4e0b2a237658b Emotet Gen1 UPX Malicious Library PE File OS Processor Check PE32 Dridex TrickBot VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Tofsee Kovter ComputerName DNS crashed |
6
https://186.4.193.75/lib153/TEST22-PC_W617601.7BB1C71156833FBAB1DE0E33B1C9331D/5/kps/ https://186.4.193.75/lib153/TEST22-PC_W617601.7BB1C71156833FBAB1DE0E33B1C9331D/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/ https://186.4.193.75/lib153/TEST22-PC_W617601.7BB1C71156833FBAB1DE0E33B1C9331D/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/RJPBpVX7jvvD7VvtdNZdpR3lrFpX/ https://api.ip.sb/ip https://186.4.193.75/lib153/TEST22-PC_W617601.7BB1C71156833FBAB1DE0E33B1C9331D/14/NAT%20status/client%20is%20behind%20NAT/0/ https://186.4.193.75/lib153/TEST22-PC_W617601.7BB1C71156833FBAB1DE0E33B1C9331D/14/user/test22/0/
|
6
api.ip.sb(172.67.75.172) 186.4.193.75 - mailcious 103.56.207.230 104.26.13.31 171.103.189.118 171.103.187.218
|
3
ET POLICY Signed TLS Certificate with md5WithRSAEncryption SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
|
|
6.8 |
M |
43 |
ZeroCERT
12989 |
2021-10-01 09:44
|
raccon.exe 4d14cf426d5bba34e1da4a2cc98b0b57 Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
1.8 |
M |
19 |
ZeroCERT
12990 |
2021-10-01 09:47
|
SalmonFlora.exe e277207bfd455a387fe52aaa65f4e9b0 VMProtect Malicious Library PE File PE32 VirusTotal Malware Check memory unpack itself |
|
|
|
|
2.6 |
M |
36 |
ZeroCERT